From de6ab11f7f7f1ab1135e3203e664c68ee2796755 Mon Sep 17 00:00:00 2001 From: multiOTP Date: Sun, 1 May 2022 22:11:29 +0200 Subject: [PATCH] Update README.md formatting Update the formatting of README.md Thanks @sashaqwert for the feedback --- README.md | 116 +++++++++++++++++++++++++++--------------------------- 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index c82260c..861bcc0 100644 --- a/README.md +++ b/README.md @@ -3,11 +3,11 @@ multiOTPCredentialProvider multiOTP Credential Provider for multiOTP is a free and open source implementation of a V2 Credential Provider for the multiOTP strong two-factor authentication solution (Apache License, Version 2.0) (c) 2016-2022 SysCo systemes de communication sa (enhancements since 2016 and simple installer with configuration options) -(c) 2017-2021 NetKnights GmbH +(c) 2017-2021 NetKnights GmbH (c) 2015-2016 ArcadeJust ("RDP only" enhancement) (c) 2013-2015 Last Squirrel IT -Current build: 5.8.7.0 (2022-04-28) +Current build: 5.8.7.0 (2022-04-28) The binary download page is available here : https://download.multiotp.net/credential-provider/ (download link are at the bottom of the page) 
@@ -39,11 +39,11 @@ PREREQUISITES MANUAL INSTALLATION =================== -Launch the installer (in the installer directory) and configure the various parameters during the setup. You must have administrator access to successfully install the multiOTP Credential Provider. -Which Authenticatio Mode should I choose? - "OTP authentication mandatory for remote remote desktop only" User must have OTP only when the login is done using remote desktop (mstsc). User logs in locally on the computer with the Windows password only. - "OTP authentication mandatory for local logon and remote desktop" User must have OTP when login is done using remote desktop (mstsc) or when it's done locally on the computer. - "OTP and std auth. for local and remote (to check OTP validation)" User can login with OTP or without OTP using remote desktop (mstsc) or locally on the computer. +Launch the installer (in the installer directory) and configure the various parameters during the setup. You must have administrator access to successfully install the multiOTP Credential Provider. +Which Authentication Mode should I choose? +* "OTP authentication mandatory for remote remote desktop only" User must have OTP only when the login is done using remote desktop (mstsc). User logs in locally on the computer with the Windows password only. +* "OTP authentication mandatory for local logon and remote desktop" User must have OTP when login is done using remote desktop (mstsc) or when it's done locally on the computer. +* "OTP and std auth. for local and remote (to check OTP validation)" User can login with OTP or without OTP using remote desktop (mstsc) or locally on the computer. MSI DEPLOYMENT 
@@ -53,36 +53,36 @@ If it's not the case, you can deploy them automatically using the four MSI provi Using Orca, you can create Transform files in order to set the settings of the credential provider. The following properties can be set : - MULTIOTP_TIMEOUT Number of seconds to wait for the multiOTP server response. Default value 5. - MULTIOTP_CACHE 0|1 1 to enable local cache. - MULTIOTP_CPUSCREDUI run as admin mode (0 or 1 or 2 + e or d for example 1e) - MULTIOTP_TIMEOUTCP Number of seconds to wait for the credentail provider to respond. Default value 60. - MULTIOTP_TWO_STEP_HIDE_OTP 0|1 1 to force the credential to request an OTP password in a second step. - MULTIOTP_TWO_STEP_SEND_PASSWORD 0|1 1 to enable the credential to request an OTP password by SMS or e-mail. - MULTIOTP_CPUSLOGON logon mode (0 or 1 or 2 + e or d for example 1e) - MULTIOTP_CPUSUNLOCK unlock mode (0 or 1 or 2 + e or d for example 1e) - MULTIOTP_DISPLAYSMSLINK 0|1 1 to enable the sms link on the OTP authentication page. - MULTIOTP_DISPLAYEMAILLINK 0|1 1 to enable the e-mail link on the OTP authentication page. - MULTIOTP_LOGINTEXT text displayed underneath the credential logo. - MULTIOTP_BITMAP_PATH The complete path and filename of the bmp image. Size must be 128x128 pixels. - MULTIOTP_URL FQDN of the multiOTP server for example https://192.168.1.188 - MULTIOTP_SECRET Secret shared with the smultiOTP server. - MULTIOTP_OTP_TEXT Text displayed in the OTP field. - MULTIOTP_OTP_HINT_TEXT Text displayed when prompted to enter the OTP in the second step. - MULTIOTP_OTP_FAIL_TEXT Text displayed when OTP code is not valid. - MULTIOTP_EXCLUDED_ACCOUNT Specify an account that should be excluded from 2FA. For example contoso\backdoor - MULTIOTP_UPNFORMAT 0|1 1 to use UPN format (kevin@test.com instead of kevin) for the username when credential provider calls multiOTP. +* MULTIOTP_TIMEOUT Number of seconds to wait for the multiOTP server response. Default value 5. 
+* MULTIOTP_CACHE 0|1 1 to enable local cache. +* MULTIOTP_CPUSCREDUI run as admin mode (0 or 1 or 2 + e or d for example 1e) +* MULTIOTP_TIMEOUTCP Number of seconds to wait for the credentail provider to respond. Default value 60. +* MULTIOTP_TWO_STEP_HIDE_OTP 0|1 1 to force the credential to request an OTP password in a second step. +* MULTIOTP_TWO_STEP_SEND_PASSWORD 0|1 1 to enable the credential to request an OTP password by SMS or e-mail. +* MULTIOTP_CPUSLOGON logon mode (0 or 1 or 2 + e or d for example 1e) +* MULTIOTP_CPUSUNLOCK unlock mode (0 or 1 or 2 + e or d for example 1e) +* MULTIOTP_DISPLAYSMSLINK 0|1 1 to enable the sms link on the OTP authentication page. +* MULTIOTP_DISPLAYEMAILLINK 0|1 1 to enable the e-mail link on the OTP authentication page. +* MULTIOTP_LOGINTEXT text displayed underneath the credential logo. +* MULTIOTP_BITMAP_PATH The complete path and filename of the bmp image. Size must be 128x128 pixels. +* MULTIOTP_URL FQDN of the multiOTP server for example https://192.168.1.188 +* MULTIOTP_SECRET Secret shared with the smultiOTP server. +* MULTIOTP_OTP_TEXT Text displayed in the OTP field. +* MULTIOTP_OTP_HINT_TEXT Text displayed when prompted to enter the OTP in the second step. +* MULTIOTP_OTP_FAIL_TEXT Text displayed when OTP code is not valid. +* MULTIOTP_EXCLUDED_ACCOUNT Specify an account that should be excluded from 2FA. For example contoso\backdoor +* MULTIOTP_UPNFORMAT 0|1 1 to use UPN format (kevin@test.com instead of kevin) for the username when credential provider calls multiOTP. 
Copy the MSI and MST files to a share which is accessible in Read-Execute for every computers -Create a GPO that applies to the selected computers, adding the following settings: - Computer Settings > Administrative Templates > System > Logon - Always wait for the network at computer startup and logon - Enabled +Create a GPO that applies to the selected computers, adding the following settings: +* Computer Settings > Administrative Templates > System > Logon + * Always wait for the network at computer startup and logon - Enabled -Create a second GPO that applies to the selected computers, adding the following settings: - Computer Configuration > Policies > Administrative Templates > System > Group Policy - Enable the Specify startup policy processing wait time. Set Amount of time to wait (in seconds): = 120 +Create a second GPO that applies to the selected computers, adding the following settings: +* Computer Configuration > Policies > Administrative Templates > System > Group Policy + * Enable the Specify startup policy processing wait time. Set Amount of time to wait (in seconds): = 120 If x86 AND x64 MSVC++ redistributable are not already installed on those computers, create a GPO to deploy the 4 x86 AND x64 MSVC++ redistribuable files. @@ -90,7 +90,7 @@ create a GPO to deploy the 4 x86 AND x64 MSVC++ redistribuable files. Finaly, create a GPO that applies to the selected computers to deploy the MSI with its MST file To force to apply the GPO on the selected computers: -gpupdate /force /boot on each computer, using administrator privilege +* gpupdate /force /boot on each computer, using administrator privilege LOCAL ONLY STRONG AUTHENTICATION INSTALLATION 
@@ -123,7 +123,7 @@ TECHNICAL DETAILS (registry entries have priority over multiotp.ini file entries): HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978} - the previous registry keys (up to 5.8.1.x) are converted to the new values - the available registry keys are - cpus_logon Logon authentication type [0|1|2|3][e|d] + * cpus_logon Logon authentication type [0|1|2|3][e|d] 0: relevant for remote (RDP) and local operation 1: relevant for remote operation 2: relevant for local operation 
@@ -132,30 +132,30 @@ TECHNICAL DETAILS d: In addition all other credential providers are available. Example: cpus_logon = 0e: Only the multiOTP Credential Provider is available for Logon via remote and locally. - cpus_unlock Unlock authentication type [0|1|2|3][e|d] - cpus_credui Authentication in Windows authentication type (when action requires admin rights for example) [0|1|2|3][e|d] - excluded_account Specify an account that should be excluded from 2FA. The format is required to be domain\username or computername\username. - login_text Specify the text that is displayed underneath the Credential Provider logo and on the right side where available credentials arelisted. - multiOTPCacheEnabled [1|0], used directly by multiOTP - multiOTPDefaultPrefix [Default computer/domain, default is '']. multiOTP use automatically the domain name as default, or computer - name if the computer is not in a domain. You can set here a manual default computer/domain, like for example '.' - multiOTPDisplaySmsLink [0|1] - multiOTPDisplayEmailLink [0|1] - multiOTPServers [multiOTP server(s) to contact, default is 'https://192.168.1.88'], used directly by multiOTP - multiOTPServerTimeout [timeout in seconds before switching to the next server, default is 5], used directly by multiOTP - multiOTPSharedSecret [secret to connect this client to the server, default is 'ClientServerSecret'], used directly by multiOTP - multiOTPTimeout [timeout in seconds, default is 60] - multiOTPUPNFormat [0|1] Set to 1 to use UPN username (kevin@test.com) instead of username (kevin) - two_step_hide_otp [0|1] Set to 1 if the Credential Provider should ask for the user's OTP in a second step. In the first step the - user will only be asked for the password. 
- two_step_send_password [0|1] Set to 1 if the Credential Provider should send the user's password to the multiOTP server - two_step_send_empty_password [0|1] Set to 1 if the Credential Provider should send an empty password to the multiOTP server - otp_text Speficy the text that is displayed in the OTP input field. Usually this is "One-Time Password", but you can change it - to any other value you like. - otp_hint_text Speficy the text that is displayed when prompted to enter the OTP in the second step. - otp_fail_text Specify a custom text that is shown when the OTP verification failed. - v1_bitmap_path The complete path and filename of a bitmap image. This is a customized login image. The image must be a version 3 - Windows BMP file with a resolution of 128x128 pixels. + * cpus_unlock Unlock authentication type [0|1|2|3][e|d] + * cpus_credui Authentication in Windows authentication type (when action requires admin rights for example) [0|1|2|3][e|d] + * excluded_account Specify an account that should be excluded from 2FA. The format is required to be domain\username or computername\username. + * login_text Specify the text that is displayed underneath the Credential Provider logo and on the right side where available credentials arelisted. + * multiOTPCacheEnabled [1|0], used directly by multiOTP + * multiOTPDefaultPrefix [Default computer/domain, default is '']. multiOTP use automatically the domain name as default, or computer + name if the computer is not in a domain. You can set here a manual default computer/domain, like for example '.' 
+ * multiOTPDisplaySmsLink [0|1] + * multiOTPDisplayEmailLink [0|1] + * multiOTPServers [multiOTP server(s) to contact, default is 'https://192.168.1.88'], used directly by multiOTP + * multiOTPServerTimeout [timeout in seconds before switching to the next server, default is 5], used directly by multiOTP + * multiOTPSharedSecret [secret to connect this client to the server, default is 'ClientServerSecret'], used directly by multiOTP + * multiOTPTimeout [timeout in seconds, default is 60] + * multiOTPUPNFormat [0|1] Set to 1 to use UPN username (kevin@test.com) instead of username (kevin) + * two_step_hide_otp [0|1] Set to 1 if the Credential Provider should ask for the user's OTP in a second step. In the first step the + user will only be asked for the password. + * two_step_send_password [0|1] Set to 1 if the Credential Provider should send the user's password to the multiOTP server + * two_step_send_empty_password [0|1] Set to 1 if the Credential Provider should send an empty password to the multiOTP server + * otp_text Speficy the text that is displayed in the OTP input field. Usually this is "One-Time Password", but you can change it + to any other value you like. + * otp_hint_text Speficy the text that is displayed when prompted to enter the OTP in the second step. + * otp_fail_text Specify a custom text that is shown when the OTP verification failed. + * v1_bitmap_path The complete path and filename of a bitmap image. This is a customized login image. The image must be a version 3 + Windows BMP file with a resolution of 128x128 pixels. THANKS TO
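Review bot: in the first hunk (the README header) the two touched lines, `(c) 2017-2021 NetKnights GmbH` and `Current build: 5.8.7.0 (2022-04-28)`, show no visible difference between their `-` and `+` versions, so the change is presumably trailing whitespace added to force a markdown line break. Trailing double spaces are invisible in review and are stripped by many editors and linters, so a blank line between the lines or an explicit `<br>` is a more robust way to get the break, and the commit message should say that this is what the change does. While this block is being edited, the unchanged context line `download link are at the bottom of the page` should read `download links are`.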
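Review bot: the `Authenticatio` to `Authentication` fix in the `@@ -39,11 +39,11 @@` hunk is good, but the first bullet it introduces still carries the duplicated word in `"OTP authentication mandatory for remote remote desktop only"`; drop one `remote`, and if that string is quoted from the installer dialog, fix it at the source too so the README and the setup wizard keep matching.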
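Review bot: the property list in the `@@ -53,36 +53,36 @@` hunk is converted to bullets but carries its typos over unchanged: `credentail provider` in the `MULTIOTP_TIMEOUTCP` line and `smultiOTP server` in the `MULTIOTP_SECRET` line. Two content points while these lines are being rewritten anyway: `MULTIOTP_URL` is described as the `FQDN` of the server but the example given is an IP address, `https://192.168.1.188`, and the TECHNICAL DETAILS hunk later states the `multiOTPServers` default as `https://192.168.1.88`, so the two values disagree and should be reconciled. `MULTIOTP_EXCLUDED_ACCOUNT` turns off 2FA for the named account; the description should state that consequence plainly, and the example `contoso\backdoor` is better replaced by a neutral placeholder such as `contoso\svc_account`, because README examples get copied into production transforms. Also in this hunk, the GPO sub-items ` * Always wait for the network ...` and ` * Enable the Specify startup policy ...` are indented by a single space under a `* ` parent; CommonMark needs at least two spaces for a nested item, so as written they render as sibling bullets rather than children.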
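Review bot: in the `@@ -90,7 +90,7 @@` hunk, `* gpupdate /force /boot on each computer, using administrator privilege` mixes a command with its explanation; since this README is markdown, wrap the command in backticks (`` `gpupdate /force /boot` ``) so it is visibly a command and copies cleanly. The surrounding context lines `Finaly, create a GPO` and `redistribuable files` have typos (`Finally`, `redistributable`) worth fixing in the same formatting pass.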
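Review bot: in the `@@ -123,7 +123,7 @@` hunk, turning `cpus_logon` into a bullet changes how the lines that follow it render: the value descriptions `0: relevant for remote (RDP) and local operation`, `1: relevant for remote operation`, `2: relevant for local operation` (and the `e`/`d` lines) appear to be unindented plain text, which markdown treats as lazy continuation of the bullet paragraph, so the per-value line breaks disappear and the list collapses into one run-on sentence in the rendered README. Either indent those lines as nested items under `cpus_logon` or put the whole registry-key block in a fenced code block, which also preserves the column layout of the original.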
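Review bot: the `@@ -132,30 +132,30 @@` hunk copies several typos into the new bullets: `Speficy` (both the `otp_text` and `otp_hint_text` lines), `arelisted` in the `login_text` line, and `multiOTP use automatically` in the `multiOTPDefaultPrefix` line should read `uses`; `multiOTPCacheEnabled [1|0]` is the only key written with the range reversed relative to the `[0|1]` convention used everywhere else. More importantly, the `multiOTPSharedSecret` bullet documents the default as `'ClientServerSecret'`; this is the value that authenticates the Credential Provider to the multiOTP server, so the description should say that the default must be replaced at deployment (and the same remark belongs on `MULTIOTP_SECRET` in the MSI property list above), otherwise a reader can reasonably leave it as is. The wrapped continuation lines (`name if the computer is not in a domain.`, `user will only be asked for the password.`, `to any other value you like.`, `Windows BMP file with a resolution of 128x128 pixels.`) are indented by a single space; they do render as part of their bullet, but a consistent two-space indent would match the nesting used for the items themselves.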